some links for you

i read it all so you don't have to - 5/7/2020

May 7, 2020

Facebook has to comply with local laws. This has been a problem for them in Vietnam, where for years now the local law has been don’t criticize the government on facebook.

Reuters reported this in April and I am surprised it didn’t get more attention. Facebook was forced into better compliance with the government’s legal activist suppression orders.

Facebook's local servers in Vietnam were taken offline early this year, slowing local traffic to a crawl until it agreed to significantly increase the censorship of "anti-state" posts for local users, two sources at the company told Reuters on Tuesday.
The restrictions, which the sources said were carried out by state-owned telecommunications companies, knocked the servers offline for around seven weeks, meaning the website became unusable at times.

There are two problems here. The state control of telecoms and facebook being a nice big and easy target to negotiate with. Of course my mind went to mesh networks and decentralized social media. One day…

A Financial Times journalist reflected on their experience living under extreme contact tracing and passporting while in Wuhan.

At one point in Wuhan, I received a call from a government minder. She said several journalists’ codes had turned yellow and asked if mine had too. When I replied it had, she told me I should not leave my hotel room until it turned green, despite knowing this was a glitch. “We must adhere to the conditions of the system,” she said.

And what worries me most:

In China, many of the restrictions on movement are now being lifted and life is returning to normal. But the code system still lingers in many places. The temptations of keeping such a system of control in place, or even to centralise and strengthen it, must hold a strong attraction for the Chinese government.

I understand that it’s an emergency and people who are fretting about privacy can be seen as just getting in the way. But to say the concerns are totally unjustified is nuts.

Meanwhile, in India

Zack Whittaker @zackwhittaker

New, by me: India's largest telecom Jio exposed one of its databases storing records of users' coronavirus self-check results. No password on the database. Much of the data was anonymous, but many records also contained a user's precise geolocation.

Security lapse exposed Jio coronavirus self-test records – TechCrunchExclusive: The database contains answers to Jio’s coronavirus symptom checker and optional location data.techcrunch.com

Probably not good:

From one sample of data we obtained, we found thousands of users’ precise geolocation from across India. TechCrunch was able to identify people’s homes using the latitude and longitude records found in the database.

This hits on a critical part of the discussion around privacy. Yes there is risk of authorized users of the data abusing it somehow. But perhaps even greater is the risk that this centralized honeypot of valuable user information might leak or be abused by an attacker somehow.

I am always interested in insider threats. So much of our thinking around privacy involves trusting the people who have regular access to our data. But people can be bribed, as the makers of Roblox learned.

A hacker bribed a Roblox worker to gain access to the back end customer support panel of the massively popular online video game, giving them the ability to lookup personal information on over 100 million active monthly users and grant virtual in-game currency.
With this access, the hacker could see users' email address, as well as change passwords, remove two-factor authentication from their accounts, ban users, and more, according to the hacker and screenshots of the internal system. The screenshots shared with Motherboard include the personal information of some of the most high profile users on the platform.

This is a sensitive topic for me because someone once used insider access to SIM swap me in an attempt to steal my precious coins. It is apparently quite common to bribe or blackmail support reps of the major phone companies. As Brian Krebs has covered often:

If you are somehow under the impression that you — the customer — are in control over the security, privacy and integrity of your mobile phone service, think again. And you’d be forgiven if you assumed the major wireless carriers or federal regulators had their hands firmly on the wheel.
No, a series of recent court cases and unfortunate developments highlight the sad reality that the wireless industry today has all but ceded control over this vital national resource to cybercriminals, scammers, corrupt employees and plain old corporate greed.

Trust can be broken people.

American journalists working in China have been expelled recently. Here’s a thread reflecting on some of their work documenting the horrible abuses of the Chinese government.